mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-18 11:10:00 +00:00
02be228ed6
Adds [zizmor](https://docs.zizmor.sh/) to `make lint-actions` with `--min-confidence=medium`. Fixes the remaining findings: - Pin floating-tag service images in `pull-db-tests.yml` to `tag@sha256:digest` - Move `github.ref` / `github.ref_name` (and surrounding secrets/step outputs for consistency) out of `run:` into `env:` --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io>
138 lines
4.9 KiB
YAML
138 lines
4.9 KiB
YAML
name: compliance
|
|
|
|
on:
|
|
pull_request:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
files-changed:
|
|
uses: ./.github/workflows/files-changed.yml
|
|
|
|
lint-backend:
|
|
if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
|
|
needs: files-changed
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
|
with:
|
|
go-version-file: go.mod
|
|
check-latest: true
|
|
cache: false
|
|
- uses: ./.github/actions/go-cache
|
|
with:
|
|
cache-name: lint-backend
|
|
lint-cache: "true"
|
|
- run: make deps-backend deps-tools
|
|
- run: TAGS="bindata" make generate-go # lint-go also lints with "bindata" tags which requires "_bindata.go"
|
|
- run: make lint-backend
|
|
|
|
lint-on-demand:
|
|
needs: files-changed
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
|
with:
|
|
go-version-file: go.mod
|
|
check-latest: true
|
|
cache: false
|
|
- uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
|
|
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
|
|
- run: make lint-spell
|
|
|
|
- if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true' || needs.files-changed.outputs.actions == 'true'
|
|
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
|
|
with:
|
|
python-version: 3.14
|
|
- if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true'
|
|
run: make deps-py lint-templates lint-yaml
|
|
|
|
- if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.swagger == 'true' || needs.files-changed.outputs.json == 'true'
|
|
run: make deps-frontend lint-md lint-swagger lint-json
|
|
|
|
- if: needs.files-changed.outputs.actions == 'true'
|
|
run: make lint-actions
|
|
|
|
checks-backend:
|
|
if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
|
|
needs: files-changed
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
|
with:
|
|
go-version-file: go.mod
|
|
check-latest: true
|
|
cache: false
|
|
- uses: ./.github/actions/go-cache
|
|
with:
|
|
cache-name: checks-backend
|
|
build-cache: "false"
|
|
- run: make deps-backend deps-tools
|
|
- run: make --always-make checks-backend # ensure the "go-licenses" make target runs
|
|
|
|
frontend:
|
|
if: needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
|
|
needs: files-changed
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
|
|
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
- run: make deps-frontend
|
|
- run: make lint-frontend
|
|
- run: make checks-frontend
|
|
- run: make test-frontend
|
|
- run: make frontend
|
|
|
|
backend:
|
|
if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
|
|
needs: files-changed
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
|
with:
|
|
go-version-file: go.mod
|
|
check-latest: true
|
|
cache: false
|
|
- uses: ./.github/actions/go-cache
|
|
with:
|
|
cache-name: compliance-backend
|
|
- run: make deps-backend generate-go
|
|
# no frontend build here as backend should be able to build, even without any frontend files
|
|
# CGO is not used when cross-compile, so these steps also test if the code is compatible with CGO disabled
|
|
- name: build-backend-arm64
|
|
run: go build -o gitea_linux_arm64
|
|
env:
|
|
GOOS: linux
|
|
GOARCH: arm64
|
|
TAGS: bindata gogit
|
|
- name: build-backend-windows
|
|
run: go build -o gitea_windows
|
|
env:
|
|
GOOS: windows
|
|
GOARCH: amd64
|
|
TAGS: bindata gogit
|
|
- name: build-backend-386
|
|
run: go build -o gitea_linux_386
|
|
env:
|
|
GOOS: linux
|
|
GOARCH: 386
|